utils: Improve rule priority support in is_covered/is_equal

- `is_covered` was not checking priorities when checking if a rule is
  covered. With this fix, a rule of lower priority can no longer cover a
  higher priority one.
- Fixes `is_equal(strict=False)` so that priority=0 matches implicit
  priority (as it is defaulted to zero)

Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>

utils/apparmor/rule/__init__.py

@@ -176,7 +176,7 @@ class BaseRule(metaclass=ABCMeta):
         else:
             return self.get_clean(depth)
 
-    def is_covered(self, other_rule, check_allow_deny=True, check_audit=False):
+    def is_covered(self, other_rule, check_allow_deny=True, check_audit=False, check_priority=True):
         """check if other_rule is covered by this rule object"""
 
         if type(other_rule) is not type(self):
@@ -194,6 +194,9 @@ class BaseRule(metaclass=ABCMeta):
         if other_rule.audit and not self.audit:
             return False
 
+        if check_priority and (self.priority or 0) > (other_rule.priority or 0):
+            return False
+
         # still here? -> then the common part is covered, check rule-specific things now
         return self._is_covered_localvars(other_rule)
 
@@ -250,13 +253,14 @@ class BaseRule(metaclass=ABCMeta):
         """compare if rule_obj == self
            Calls _is_equal_localvars() to compare rule-specific variables"""
 
-        if (self.priority != rule_obj.priority
+        if ((self.priority or 0) != (rule_obj.priority or 0)
                 or self.audit != rule_obj.audit
                 or self.deny != rule_obj.deny):
             return False
 
         if strict and (
-            self.allow_keyword != rule_obj.allow_keyword
+            self.priority != rule_obj.priority
+            or self.allow_keyword != rule_obj.allow_keyword
             or self.comment != rule_obj.comment
             or self.raw_rule != rule_obj.raw_rule
         ):